lorenzo/servers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Lebesque Configuration.

Browse source
This commit is contained in:
Lorenzo Good 2025-02-03 13:00:31 -06:00
parent b2595f1936
commit 859556d0e6
Signed by: lorenzo
GPG key ID: 7FCD64BD81180ED0
18 changed files with 386 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

10
machines/lebesgue/.sops.yaml Normal file
View file

@ -0,0 +1,10 @@
keys:
- &admin_foehammer A972C2063F4F2554
- &server age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_foehammer
age:
- *server

33
machines/lebesgue/config/configuration.nix Normal file
View file

@ -0,0 +1,33 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
./hardware-configuration.nix
];
foehammer = {
users.admin = {
enable = true;
hashedPasswordFile = config.sops.secrets.admin-password.path;
};
};
services.tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tskey.path;
openFirewall = true;
};
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
i18n.defaultLocale = "en_US.UTF-8";
networking.firewall.allowedTCPPorts = [22];
networking.firewall.trustedInterfaces = ["tailscale0"];
system.stateVersion = "24.11";
}

51
machines/lebesgue/config/hardware-configuration.nix Normal file
View file

@ -0,0 +1,51 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
services.qemuGuest.enable = true;
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["btrfs"];
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = ["subvol=root" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
neededForBoot = true;
options = ["subvol=nix" "defaults" "noatime" "compress=zstd:3" "discard=async" "nodatacow"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
neededForBoot = true;
options = ["subvol=persist" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
options = ["fmask=0077" "dmask=0077"];
};
swapDevices = [];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

10
machines/lebesgue/config/secrets.nix Normal file
View file

@ -0,0 +1,10 @@
{...}: {
sops = {
defaultSopsFile = ../secrets/main.yaml;
secrets = {
admin-password.neededForUsers = true;
tskey = {};
};
};
}

5
machines/lebesgue/deploy Executable file
View file

@ -0,0 +1,5 @@
#!/usr/bin/env bash
nix flake lock --update-input common
nixos-rebuild switch --flake .#default --target-host admin@lebesgue --use-remote-sudo --build-host localhost --verbose

125
machines/lebesgue/flake.lock generated Normal file
View file

@ -0,0 +1,125 @@
{
"nodes": {
"common": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1,
"narHash": "sha256-WEokvgGDzO4WVp5gHu9rZVPyNzMdLuX8dMV/Zhf9OwQ=",
"path": "../../nixos",
"type": "path"
},
"original": {
"path": "../../nixos",
"type": "path"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1737672001,
"narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1738435198,
"narHash": "sha256-5+Hmo4nbqw8FrW85FlNm4IIrRnZ7bn0cmXlScNsNRLo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f6687779bf4c396250831aa5a32cbfeb85bb07a3",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1731763621,
"narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"common": "common",
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1738291974,
"narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

34
machines/lebesgue/flake.nix Normal file
View file

@ -0,0 +1,34 @@
{
inputs = {
common.url = "path:../../nixos";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
sops-nix = {
url = "github:Mic92/sops-nix";
};
};
outputs = inputs @ {common, ...}: let
supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
forAllSystems = inputs.nixpkgs.lib.genAttrs supportedSystems;
buildNixpkgs = system:
import inputs.nixpkgs {
inherit system;
overlays = [];
};
in {
nixosConfigurations.default = let
config = common.lib.utils.findNixFiles ./config;
modules = [inputs.sops-nix.nixosModules.sops inputs.common.nixosModules.default];
in
common.lib.mkSystem "lebesgue" "x86_64-linux" (config ++ modules);
devShells = forAllSystems (system: let
pkgs = buildNixpkgs system;
in {
default = pkgs.mkShell {
buildInputs = with pkgs; [sops];
};
});
};
}

33
machines/lebesgue/secrets/main.yaml Normal file
View file

@ -0,0 +1,33 @@
admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str]
tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc3BBZy82TWZHVENPclF3
ZTQ3SGlSWUVmMEYyU29EZFR2QVJIcWFraXhrCjhqWTdzM2N0OHlYeWlpKzg4bks4
NFV6S0hPeXF2bS95TGcwZUloajA0NDQKLS0tIHdXSjRIbVdEYzk5RCt1SkZ3aEpz
L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-03T20:29:36Z"
mac: ENC[AES256_GCM,data:mdK+B9R2THvjrKGlghcVVzCSSOnsJe9AqjMkj8H80l+Ij2SLPw/tS+/EgVwD6f87QGdV0o4U482CZc4GzbvrwdZgwYcjd2v2z7qUurDuga4SD/ex3czV43dmfzgePPnhVV60bVVfRebsuUdf48wwnZ8WA5aNtUxcFhoJ9zUaMjs=,iv:sMU3YgIVfynURvN6Jv8ixB7q4IuRYSGxvyRw4KhQwjg=,tag:4sRYLtAwkBBERdPS9qY/+w==,type:str]
pgp:
- created_at: "2025-02-03T18:58:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAV8/dSUlY3Jr6yJhlenXAT92i+tJFSm+ONcz6XZfwO1Mw
KfRNkkoGMf8vE+Z4ErTnCwhF5Pl91/MKVrCQS6GRf6MHbkdsYdMjQspwr9nINrks
0lwBdtwQh9b0knhD/oL6MHm6NCHgq9E+Si7DuRXvF0X0g4AWlg1sobGmzITTXThd
+Y4fQySm4PYCe4fMtrGeTVoL7glhovdxk/DwRKkujhmB57WsGiEPL+Suc/fXYQ==
=b0W0
-----END PGP MESSAGE-----
fp: A972C2063F4F2554
unencrypted_suffix: _unencrypted
version: 3.9.4

1
nixos/common/caddy.nix
View file

@ -1,6 +1,7 @@
{ {
config, config,
lib, lib,
...
}: let }: let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
cfg = config.foehammer.caddy; cfg = config.foehammer.caddy;

1
nixos/common/nixos.nix
View file

@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
...
}: let }: let
inherit (lib) mkIf; inherit (lib) mkIf;
in { in {

23
nixos/common/services/vaultwarden.nix
View file

@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
...
}: let }: let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib) mkEnableOption mkIf mkOption;
@ -32,21 +33,23 @@ in {
}; };
}; };
config.services.vaultwarden = mkIf cfg.enable { config = mkIf cfg.enable {
enable = true; services.vaultwarden = {
enable = true;
config = { config = {
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port; ROCKET_PORT = cfg.port;
DOMAIN = cfg.domain; DOMAIN = cfg.domain;
ROCKET_LOG = "critical"; ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = cfg.signups; SIGNUPS_ALLOWED = cfg.signups;
};
environmentFile = cfg.envPath;
}; };
foehammer.backups.paths = [ foehammer.backups.paths = [
"/var/lib/bitwarden_rs" "/var/lib/bitwarden_rs"
]; ];
environmentFile = cfg.envPath;
}; };
} }

7
nixos/common/sudo.nix Normal file
View file

@ -0,0 +1,7 @@
{...}: {
security.sudo = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
}

12
nixos/common/users/admin.nix
View file

@ -4,10 +4,16 @@
foelib, foelib,
... ...
}: let }: let
inherit (lib) mkIf mkEnableOption optionals; inherit (lib) mkIf mkOption mkEnableOption optionals types;
cfg = config.foehammer.users.admin; cfg = config.foehammer.users.admin;
in { in {
options.foehammer.users.admin.enable = mkEnableOption "Enable a wheel admin user."; options.foehammer.users.admin = {
enable = mkEnableOption "Enable a wheel admin user.";
hashedPasswordFile = mkOption {
type = with types; nullOr str;
default = null;
};
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.admin = { users.users.admin = {
createHome = true; createHome = true;
@ -19,6 +25,8 @@ in {
uid = 9999; uid = 9999;
openssh.authorizedKeys.keys = foelib.getSSHKeys "foehammer"; openssh.authorizedKeys.keys = foelib.getSSHKeys "foehammer";
hashedPasswordFile = cfg.hashedPasswordFile;
}; };
users.groups.admin.gid = config.users.users.admin.uid; users.groups.admin.gid = config.users.users.admin.uid;

4
nixos/flake.nix
View file

@ -30,11 +30,11 @@
}; };
flake = { flake = {
lib = import ./lib; lib = import ./lib inputs.nixpkgs withSystem;
overlays.default = final: prev: (import ./lib/packages.nix prev); overlays.default = final: prev: (import ./lib/packages.nix prev);
nixosModules.default = {...}: { nixosModules.default = {...}: {
imports = self.lib.utils.findNixFiles ./nixos; imports = self.lib.utils.findNixFiles ./common;
}; };
}; };
}); });

4
nixos/lib/default.nix
View file

@ -1,5 +1,5 @@
{ nixpkgs: withSystem: {
utils = import ./utils.nix; utils = import ./utils.nix;
getSSHKeys = (import ./keys.nix).getSSHKeys; getSSHKeys = (import ./keys.nix).getSSHKeys;
mkSystem = (import ./nixos.nix).mkSystem; mkSystem = (import ./nixos.nix nixpkgs withSystem).mkSystem;
} }

14
nixos/lib/keys.nix
View file

@ -1,4 +1,6 @@
rec { let
utils = import ./utils.nix;
in rec {
getSSHKeys = name: (getKeySets ../keys)."${name}"; getSSHKeys = name: (getKeySets ../keys)."${name}";
getKeySets = dir: let getKeySets = dir: let
@ -10,19 +12,11 @@ rec {
if type == "regular" if type == "regular"
then [ then [
{ {
name = getName name; name = utils.getName name;
value = builtins.attrValues (import path); value = builtins.attrValues (import path);
} }
] ]
else []; else [];
in in
builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries))); builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries)));
getName = filename: let
parts = builtins.split "\\." filename;
base = builtins.head (builtins.split "\\." filename);
in
if builtins.length parts == 1
then filename
else base;
} }

44
nixos/lib/nixos.nix
View file

@ -1,25 +1,25 @@
let nixpkgs: withSystem: let
foelib = import ./default.nix; foelib = import ./default.nix nixpkgs withSystem;
in { in {
mkSystem = nixpkgs: pkgs: hostname: modules: mkSystem = hostname: host-platform: modules:
nixpkgs.lib.nixosSystem { withSystem host-platform
modules = ({pkgs, ...}:
[ nixpkgs.lib.nixosSystem {
{ modules =
nix.registry = { [
nixpkgs.flake = nixpkgs; {
p.flake = nixpkgs; nix.registry = {
}; nixpkgs.flake = nixpkgs;
nixpkgs.pkgs = pkgs; p.flake = nixpkgs;
};
nixpkgs.pkgs = pkgs;
networking.hostname = hostname; networking.hostName = hostname;
} }
] ]
++ modules ++ modules;
++ foelib.utils.findNixFiles ../nixos; specialArgs = {
inherit hostname foelib;
specialArgs = { };
inherit hostname foelib; });
};
};
} }

25
nixos/lib/utils.nix
View file

@ -1,6 +1,6 @@
rec { rec {
findNixFiles = dir: let findNixFiles = dir: let
inherit (builtins) attrNames readDir pathExists concatMap hasSuffix; inherit (builtins) attrNames readDir pathExists concatMap;
# Helper function to build full paths # Helper function to build full paths
fullPath = name: dir + "/${name}"; fullPath = name: dir + "/${name}";
@ -16,11 +16,32 @@ rec {
path = fullPath name; path = fullPath name;
type = contents.${name}; type = contents.${name};
in in
if type == "regular" && hasSuffix ".nix" name if type == "regular" && hasSuffix "nix" name
then [path] then [path]
else if type == "directory" && pathExists path else if type == "directory" && pathExists path
then findNixFiles path then findNixFiles path
else []; else [];
in in
concatMap processItem names; concatMap processItem names;
getName = filename: let
parts = builtins.split "\\." filename;
base = builtins.head (builtins.split "\\." filename);
in
if builtins.length parts == 1
then filename
else base;
getSuffix = filename: let
parts = builtins.split "\\." filename;
end = builtins.tail (builtins.split "\\." filename);
in
if builtins.length parts == 1
then filename
else builtins.elemAt end (builtins.length end - 1);
hasSuffix = suffix: filename:
if (getSuffix filename) == suffix
then true
else false;
} }